1.\" $NetBSD: hosts.equiv.5,v 1.9 2014/09/19 16:02:58 wiz Exp $ 2.\" 3.\" Copyright (c) 1997 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 16.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 17.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 18.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 19.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25.\" POSSIBILITY OF SUCH DAMAGE. 26.\" 27.Dd November 26, 1997 28.Dt HOSTS.EQUIV 5 29.Os 30.Sh NAME 31.Nm hosts.equiv , 32.Nm .rhosts 33.Nd trusted remote hosts and host-user pairs 34.Sh DESCRIPTION 35The 36.Nm hosts.equiv 37and 38.Nm .rhosts 39files list hosts and users which are 40.Dq trusted 41by the local host when a connection is made via 42.Xr rlogind 8 , 43.Xr rshd 8 , 44or any other server that uses 45.Xr ruserok 3 . 46This mechanism bypasses password checks, and is required for access via 47.Xr rsh 1 . 48.Pp 49Each line of these files has the format: 50.Pp 51.Bd -unfilled -offset indent -compact 52hostname [username] 53.Ed 54.Pp 55The 56.Em hostname 57may be specified as a host name (typically a fully qualified host 58name in a DNS environment) or address, 59.Dq Li +@netgroup 60(from which only the host names are checked), 61or a 62.Dq Li \&+ 63wildcard (allow all hosts). 64.Pp 65The 66.Em username , 67if specified, may be given as a user name on the remote host, 68.Dq Li +@netgroup 69(from which only the user names are checked), 70or a 71.Dq Li \&+ 72wildcard (allow all remote users). 73.Pp 74If a 75.Em username 76is specified, only that user from the specified host may login to the 77local machine. 78If a 79.Em username 80is not specified, any user may login with the same user name. 81.Sh FILES 82.Bl -tag -width /etc/hosts.equiv -compact 83.It Pa /etc/hosts.equiv 84Global trusted host-user pairs list 85.It Pa ~/.rhosts 86Per-user trusted host-user pairs list 87.El 88.Sh EXAMPLES 89.Li somehost 90.Bd -filled -offset indent -compact 91A common usage: users on 92.Em somehost 93may login to the local host as the same user name. 94.Ed 95.Li somehost username 96.Bd -filled -offset indent -compact 97The user 98.Em username 99on 100.Em somehost 101may login to the local host. 102If specified in 103.Pa /etc/hosts.equiv , 104the user may login with only the same user name. 105.Ed 106.Li +@anetgroup username 107.Bd -filled -offset indent -compact 108The user 109.Em username 110may login to the local host from any machine listed in the netgroup 111.Em anetgroup . 112.Ed 113.Bd -literal -compact 114+ 115+ + 116.Ed 117.Bd -filled -offset indent -compact 118Two severe security hazards. 119In the first case, allows a user on any 120machine to login to the local host as the same user name. 121In the second case, allows any user on any 122machine to login to the local host (as any user, if in 123.Pa /etc/hosts.equiv ) . 124.Ed 125.Sh WARNINGS 126The username checks provided by this mechanism are 127.Em not 128secure, as the remote user name is received by the server unchecked 129for validity. 130Therefore this mechanism should only be used 131in an environment where all hosts are completely trusted. 132.Pp 133A numeric host address instead of a host name can help security 134considerations somewhat; the address is then used directly by 135.Xr iruserok 3 . 136.Pp 137When a username (or netgroup, or +) is specified in 138.Pa /etc/hosts.equiv , 139that user (or group of users, or all users, respectively) may login to 140the local host as 141.Em any local user . 142Usernames in 143.Pa /etc/hosts.equiv 144should therefore be used with extreme caution, or not at all. 145.Pp 146A 147.Pa .rhosts 148file must be owned by the user whose home directory it resides in, and 149must be writable only by that user. 150.Pp 151Logins as root only check root's 152.Pa .rhosts 153file; the 154.Pa /etc/hosts.equiv 155file is not checked for security. 156Access permitted through root's 157.Pa .rhosts 158file is typically only for 159.Xr rsh 1 , 160as root must still login on the console for an interactive login such as 161.Xr rlogin 1 . 162.Sh SEE ALSO 163.Xr rcp 1 , 164.Xr rlogin 1 , 165.Xr rsh 1 , 166.Xr rcmd 3 , 167.Xr ruserok 3 , 168.Xr netgroup 5 169.Sh HISTORY 170The 171.Nm .rhosts 172file format appeared in 173.Bx 4.2 . 174.Sh BUGS 175The 176.Xr ruserok 3 177implementation currently skips negative entries (preceded with a 178.Dq Li \&- 179sign) and does not treat them as ``short-circuit'' negative entries. 180